Buyout Firms Must Take Action to Respond to Global Cyber Threats

Cybercrime has become a critical issue for buyout firms as hackers are increasingly targeting sensitive business data to profit from insider knowledge. According to a Private Funds Management survey of 91 PE houses, 54% of PE firms said they had been hit with a cyberattack, while 45% said cybersecurity was a high threat to business operations. Despite this, 66% of PE firms said their cybersecurity programme was only partially implemented.

Buyout Firms Are Vulnerable


If a PE firm falls victim to a cyberattack, highly sensitive information is likely to leak. This is problematic, especially in cases of listed buyout firms where performance data will be market sensitive, or in public-to-private transactions where any leak is price sensitive. Even where entities are not listed, buyout firms hold valuable information, not only on acquisition targets and portfolio companies, but also on their investors, which may include sovereign wealth and pension funds.

In our view, cybersecurity needs to be a priority for PE firms. However, many PE firms may have a limited number of IT support staff and a small budget to fight cybercrime. In order to combat the growing threat, this will need to change.

Why Cybersecurity Matters

As PE firms build their reputations on their professionalism, cyberattacks have the potential to cause long-term damage. Security breaches damage investor relations and can harm future fundraising efforts. A significant cyberattack also has the ability to affect firm or portfolio company value. Earlier this year, Verizon reportedly cut its valuation of Yahoo by US$350 million after the late disclosure of two data breaches.

Regulators are also taking notice. The Financial Conduct Authority (FCA) published guidance in May 2017 stating that “cyber risks pose a threat to all financial services firms”, which should be “able to defend themselves effectively”. Under Europe’s upcoming General Data Protection Regulation, data controllers are required to report a breach within 72 hours if certain conditions are met. Failure to provide adequate security can lead to fines of up to 4% of a company’s annual turnover or €20 million, whichever is higher. In the UK, “material cyber incidents” must also be reported to the FCA.

What Can Buyout Firms Do?

While PE firms are often focused on cyber defence for their portfolio companies, they should also pay attention to their own cyber defences. PE firms should ensure they have a comprehensive enterprise-wide plan to deal quickly and effectively with an attack. Key stakeholders should be trained on the plan through “table top” exercises simulating cyberattack scenarios to ensure optimal response when facing an actual attack.

Conduct a Risk Assessment: Identify what types of sensitive data are stored, where this data is stored on systems and how it is protected. Identify threats or vulnerabilities to sensitive data. Document the costs versus the benefits of additional security measures.

Develop an Incident Response Plan: Identify members of the response team and their roles. Classify the types of incidents that will trigger the plan and how these incidents will be escalated internally. Identify when external parties should be notified and how/when these notifications should be made.

Identify and Manage Third-Party Risks: Identify third parties with access to or control over systems or data. Ensure that this access is strictly limited to business need.

Finally

It is often said that there are two kinds of companies: those that have already suffered a data breach and those that will suffer one. PE firms must be aware of the fact that they are attractive targets, and ensure that they have adequate defences and effective incident response plans in place.

The purpose of this communication is to foster an open dialogue and not to establish firm policies or best practices. Needless to say, this is not a substitute for legal advice or reading the rules and regulations we have summarized. In any particular case, you should consult with lawyers at the firm with the most experience on the topic. Depending on your specific situation, answers other than those outlined in this blog may be appropriate. Your use of this blog site alone creates no attorney client relationship between you and Latham & Watkins LLP. Do not include confidential information in comments or other feedback or messages left on the Latham.London Blog, as these are neither confidential nor secure methods of communicating with attorneys.

Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in France, Italy, Singapore, and the United Kingdom and as an affiliated partnership conducting the practices in Hong Kong and Japan. Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office. Latham & Watkins works in cooperation with the Law Office of Salman M. Al-Sudairi in the Kingdom of Saudi Arabia.